People who use or trade personal information obtained illegally can now be charged with an offence even if they did not perform the hacking to retrieve the data, after changes to cyber security laws were passed yesterday.

In amending the Computer Misuse and Cybersecurity Act, the Government is moving to keep pace with the evolving nature of cybercrime and criminal acts that target computer systems.

Besides criminalising the use of personal information obtained through illicit means, the changes also make buying or selling hacking tools for illegal activity a crime.

The revisions extend the Act's reach to offences committed abroad and to an overseas computer that lead to "serious harm" in Singapore.

In addition, prosecutors can now combine repeated instances of hacking into one computer for a period of 12 months or less into a single charge, which will allow a higher penalty to be imposed.

The changes "will allow the police to handle the increasing scale and complexity of cybercrime, as well as the evolving tactics of cyber criminals," said Senior Minister of State for Home Affairs Desmond Lee in Parliament yesterday.

They come ahead of a new Cybersecurity Act that should be introduced in the middle of this year.

It will require operators of critical information infrastructure to take proactive steps to secure their systems and networks.

SUPPORT

Ten MPs spoke in support of the Bill, pointing to recent breaches as grounds for tighter cyber security measures.

The Ministry of Defence (Mindef) said on Feb 28 that hackers had stolen the NRIC numbers, telephone numbers and birth dates of 854 personnel through a breach of its I-Net system.

Giving an update of the incident in Parliament yesterday, Second Minister for Defence Ong Ye Kung said the cyber breach was "consistent with a covert attack, with means used to mask the perpetrator's actions and intent".

Mindef had also said it ruled out casual hackers, criminal gangs and an inside job, leading experts to believe that foreign governments could be behind the attack.

Investigations are ongoing, but "findings will be kept confidential for security reasons", Mr Ong added.

The minister revealed that the breach occurred "weeks before detection", as he cited how the time taken before a breach is detected in other IT systems tends to be longer.

Referring to industry reports, Mr Ong said it takes an average of about 150 days, or five months, before a breach is discovered.

He said the I-Net system contains no classified information, and that networks that contain sensitive military information are physically separated from the Internet and protected with encryption and access controls.

Mr Ong said Mindef and the SAF will develop better assessment tools, data analytics and content scanning engines to fend off cyber attacks.

Several MPs raised concerns about the implementation of the new cybercrimes Bill.